I need to provide security requirements for public API keys that will be generated by a web application and then used in automation scripts by clients.
The scripts will be run on the endpoints several times a day via a cronjob.
The risk of a key exposure is very high since whoever steals these scripts will be able to execute OS commands remotely on the client domains.
I need to prevent this kind of theft risk while keeping the UX as simple as possible.
For now, I’ve prepared the following requirements:
- The key will be generated by the web application, after logging in to the application.
- IP addresses will be paired with the key so that only the IP that generated the key can use the key.
- The key will inherit the permissions on the endpoint of the user who generated it.
- The user will select the set of authorised actions allowed by the key, e.g. running actions, downloading reports, etc.
- The keys will be strings of at least 40 random alphanumeric and special characters (minimal size, could be longer than that) or GUIDs.
- The API will have request rate limiting.
- Users should be guided not to hardcode the key in the scripts. The scripts should receive them as a parameter from the user.
- The keys will be revoked automatically after 30 days.
- Admins will be able to revoke the keys manually.
- The key will NOT be transferred as a part of the URL, only in a header or the request body.
What do you think about these recommendations?
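The server-side half of these requirements can be expressed as a small key store that issues a random key, stores only its hash, and then checks revocation, the 30-day lifetime, the bound IP address, the selected scopes, and the "never in the URL" rule on every request. The example below is added here and is not code from the question; `ApiKeyStore`, `KeyRecord`, the `key_id.secret` key format, the scope names and the `sent_in_url` flag are all assumptions for illustration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

KEY_BYTES = 32                      # 256 bits of entropy; token_urlsafe(32) yields 43 chars (>= 40)
KEY_LIFETIME = timedelta(days=30)   # automatic revocation after 30 days, as in the requirement list
_DUMMY_HASH = hashlib.sha256(b"dummy").hexdigest()  # used so unknown ids take the same time as known ones


@dataclass
class KeyRecord:
    key_hash: str          # only the SHA-256 of the secret is stored, never the secret itself
    owner: str             # user who generated the key (permissions are inherited from them)
    bound_ip: str          # address that generated the key; the only one allowed to use it
    scopes: frozenset      # actions the user selected, e.g. {"run_action", "download_report"}
    created_at: datetime
    revoked: bool = False


class ApiKeyStore:
    """Hypothetical server-side store. `now` is injectable so expiry can be exercised in tests."""

    def __init__(self, now=None):
        self._records = {}                      # key_id -> KeyRecord
        self._now = now or (lambda: datetime.now(timezone.utc))

    @staticmethod
    def _hash(secret: str) -> str:
        return hashlib.sha256(secret.encode("utf-8")).hexdigest()

    def issue(self, owner: str, client_ip: str, scopes) -> str:
        """Create a key for a logged-in user. The plaintext is returned once and never kept."""
        key_id = secrets.token_hex(8)                # public lookup handle, carries no secret
        secret = secrets.token_urlsafe(KEY_BYTES)    # CSPRNG output rather than a GUID
        self._records[key_id] = KeyRecord(
            key_hash=self._hash(secret), owner=owner, bound_ip=client_ip,
            scopes=frozenset(scopes), created_at=self._now())
        return f"{key_id}.{secret}"

    def revoke(self, key_id: str) -> bool:
        """Manual revocation by an admin."""
        rec = self._records.get(key_id)
        if rec is None:
            return False
        rec.revoked = True
        return True

    def authorize(self, presented: str, client_ip: str, action: str, sent_in_url: bool = False):
        """Return (allowed, reason_or_owner). Each branch enforces one requirement from the list."""
        if sent_in_url:
            return False, "key_in_url"           # keys travel only in a header or the request body
        key_id, _, secret = presented.partition(".")
        rec = self._records.get(key_id)
        # Constant-time compare, performed even for unknown ids so timing does not reveal valid ids
        expected = rec.key_hash if rec else _DUMMY_HASH
        if not hmac.compare_digest(expected, self._hash(secret)) or rec is None:
            return False, "bad_key"
        if rec.revoked:
            return False, "revoked"
        if self._now() - rec.created_at > KEY_LIFETIME:
            return False, "expired"
        if client_ip != rec.bound_ip:
            return False, "ip_mismatch"
        if action not in rec.scopes:
            return False, "scope_denied"
        return True, rec.owner
```

The store deliberately keeps a `key_id` prefix separate from the secret: the id is what an admin sees in the revocation UI and in logs, while the secret part is never logged or stored, so a database leak does not hand out usable keys. Rate limiting is not modelled here; it belongs in front of `authorize` at the HTTP layer.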